suite: Role Based Access Control release: name: my-release namespace: my-namespace templates: - rbac.yaml tests: - it: test default number of documents asserts: - hasDocuments: count: 4 - it: disable auto reload set: controller.sidecars.configAutoReload.enabled: false asserts: - hasDocuments: count: 2 - it: disable rbac create set: rbac.create: false asserts: - hasDocuments: count: 0 - it: Role schedule-agents documentIndex: 0 asserts: - isKind: of: Role - equal: path: apiVersion value: rbac.authorization.k8s.io/v1 - equal: path: metadata.name value: my-release-jenkins-schedule-agents - equal: path: metadata.namespace value: my-namespace - equal: path: rules value: - apiGroups: [""] resources: ["pods", "pods/exec", "pods/log", "persistentvolumeclaims", "events"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["pods", "pods/exec", "persistentvolumeclaims"] verbs: ["create", "delete", "deletecollection", "patch", "update"] - it: RoleBinding schedule-agents documentIndex: 1 asserts: - isKind: of: RoleBinding - equal: path: apiVersion value: rbac.authorization.k8s.io/v1 - equal: path: metadata.name value: my-release-jenkins-schedule-agents - equal: path: metadata.namespace value: my-namespace - equal: path: roleRef value: apiGroup: rbac.authorization.k8s.io kind: Role name: my-release-jenkins-schedule-agents - equal: path: subjects value: - kind: ServiceAccount name: my-release-jenkins namespace: my-namespace - it: Separate Agent Namespace set: agent.namespace: agent-namespace asserts: - equal: path: metadata.namespace value: agent-namespace documentIndex: 0 - equal: path: subjects value: - kind: ServiceAccount name: my-release-jenkins namespace: my-namespace documentIndex: 1 - it: Role casc-reload documentIndex: 2 asserts: - isKind: of: Role - equal: path: apiVersion value: rbac.authorization.k8s.io/v1 - equal: path: metadata.name value: my-release-jenkins-casc-reload - equal: path: metadata.namespace value: my-namespace - equal: path: rules value: - apiGroups: [""] resources: ["configmaps"] verbs: ["get", "watch", "list"] - it: RoleBinding casc-reload documentIndex: 3 asserts: - isKind: of: RoleBinding - equal: path: apiVersion value: rbac.authorization.k8s.io/v1 - equal: path: metadata.name value: my-release-jenkins-watch-configmaps - equal: path: metadata.namespace value: my-namespace - equal: path: roleRef value: apiGroup: rbac.authorization.k8s.io kind: Role name: my-release-jenkins-casc-reload - equal: path: subjects value: - kind: ServiceAccount name: my-release-jenkins namespace: my-namespace - it: enable read secrets set: rbac.readSecrets: true asserts: - hasDocuments: count: 6 - matchRegex: path: metadata.labels.helm\.sh/chart pattern: ^jenkins- - it: disable helm.sh label set: renderHelmLabels: false rbac.readSecrets: true asserts: - hasDocuments: count: 6 - equal: path: metadata.labels value: app.kubernetes.io/component: jenkins-controller app.kubernetes.io/instance: my-release app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: jenkins - it: Role read-secrets set: rbac.readSecrets: true documentIndex: 2 asserts: - isKind: of: Role - equal: path: apiVersion value: rbac.authorization.k8s.io/v1 - equal: path: metadata.name value: my-release-jenkins-read-secrets - equal: path: metadata.namespace value: my-namespace - equal: path: rules value: - apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"] - it: RoleBinding read-secrets set: rbac.readSecrets: true documentIndex: 3 asserts: - isKind: of: RoleBinding - equal: path: apiVersion value: rbac.authorization.k8s.io/v1 - equal: path: metadata.name value: my-release-jenkins-read-secrets - equal: path: metadata.namespace value: my-namespace - equal: path: roleRef value: apiGroup: rbac.authorization.k8s.io kind: Role name: my-release-jenkins-read-secrets - equal: path: subjects value: - kind: ServiceAccount name: my-release-jenkins namespace: my-namespace